Tomcat non SSL behind Apache SSL

First let me explain our setup. In front we have an Apache 2.2 with SSL. Our users can access the site using http. A certain URL is mapped to a Tomcat running in the background. This mapping was done using mod_proxy. In the beginning I had to enable the ProxyPreserveHost option. Otherwise the request.getRequestURL() is the request Apache made to the Tomcat.

Today I had to install an SSL certificate (signed by Verizon). The configuration was actually straightforward, and after a restart I checked the main page and everything was working. Then I tried logging in and suddenly I was back to plain http. Hmmm, strange, so I checked my code. After login I did a redirect (using Spring MVC "redirect:/"). After some googling I found a setting that would help:

RequestHeader set Front-End-Https "On"

(Don't forget to include the headers module!) After a restart it still didn't work; after fiddling around with my settings I found the solution. It seems that if you combine the RequestHeader setting with ProxyPreserveHost, this doesn't work. If you disable the ProxyPreserveHost setting but leave the RequestHeader enabled, everything works fine. The problem now is that your request.getRequestURL() is not the URL your customer is using. Luckily I could solve this by doing request.getHeader("referer"); note that this probably won't work in every situation (but in our case it does). Hope this helps some people who are searching for the same solution.
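An alternative to reading the Referer header, as an added example that is not code from the original post: rebuild the customer-facing URL from the Front-End-Https header set above and the X-Forwarded-Host header that mod_proxy adds to reverse-proxied requests. The class name, the allowlisted host and the sample header values are assumptions made up for illustration.

```java
import java.util.Locale;
import java.util.Set;

public class ExternalUrl {
    // Hypothetical allowlist: the public host names the front-end Apache serves.
    // A Host header sent with a port (host:443) would need its own entry.
    static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com");

    /**
     * frontEndHttps: request.getHeader("Front-End-Https"); "RequestHeader set"
     *                replaces any value the client sent, so it reflects Apache's view.
     * forwardedHost: request.getHeader("X-Forwarded-Host"); mod_proxy appends its
     *                value to a client-sent one, separated by commas.
     * uri, query:    request.getRequestURI() and request.getQueryString().
     */
    static String rebuild(String frontEndHttps, String forwardedHost, String uri, String query) {
        if (forwardedHost == null) {
            throw new IllegalArgumentException("missing X-Forwarded-Host");
        }
        // Only the last element was written by our own proxy; earlier ones are client input.
        String[] hops = forwardedHost.split(",");
        String host = hops[hops.length - 1].trim().toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("unexpected host: " + host);
        }
        String scheme = "on".equalsIgnoreCase(frontEndHttps) ? "https" : "http";
        StringBuilder url = new StringBuilder(scheme).append("://").append(host).append(uri);
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed header values, as Tomcat would see them behind the proxy.
        System.out.println(rebuild("On", "www.example.com", "/app/login", "next=%2F"));
        // Client supplied its own X-Forwarded-Host; Apache appended the real one.
        System.out.println(rebuild("On", "other.test, www.example.com", "/app/", null));
        try {
            rebuild("On", "other.test", "/app/", null); // host not on the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Unlike Referer, which the browser controls and may omit, both headers used here are written by the proxy, and the allowlist keeps a forged host out of redirects built from the result.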
